Resolved HJT Threads: resolved spyware and pop-up issues.

#1 | 07-03-2009, 06:00 PM | rpaulie | Registered User | Join Date: Jul 2009 | Posts: 28 | OS: Windows XP

Need assistance removing NTOSKRNL-HOOK

Hello all,

I found this thread with a similar resolution

Ntoskrnl-hook

However, after reading the solution for using this particular software, I am not sure if I would need to apply the same procedure, so I am posting here.

Same deal. Every time I run McAfee, it says NTOSKRNL-HOOK is removed, but it appears again every time I run it. Also, Malwarebytes' Anti-Malware cannot pick it up. I ran both programs in Safe Mode as well. No dice.

If this helps, GMER gave me this warning after the scan completed:

Warning!!

GMER has found system modification caused by ROOTKIT activity

This was the line:

C:\WINDOWS\system32\drivers\hjgruissamdvmg.sys 68096 bytes executable

Here is the information. Thank you very much for the assistance.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Paul Jacobsen at 17:00:36.50 on Fri 07/03/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.533 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\USB TV\EM28XX\BDARemote.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Paul Jacobsen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Paul Jacobsen] c:\documents and settings\paul jacobsen\Paul Jacobsen.exe /i
uRun: [<NO NAME>] c:\docume~1\paulja~1\locals~1\temp\dmc6x6.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bdarem~1.lnk - c:\program files\usb tv\em28xx\BDARemote.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217351185015
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: XHZZicfwj - {E8CE9841-4264-32EB-55BF-6752BDFD4EF2} - c:\windows\system32\ejqtsv.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paulja~1\applic~1\mozilla\firefox\profiles\gjw7b1wl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-6-24 201320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-24 359248]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2009-6-24 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-23 24652]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 93696]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-24 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-24 35240]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-8-29 10664]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-24 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-24 40488]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-24 695624]

=============== Created Last 30 ================

2009-07-03 14:01 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-07-03 14:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-06-25 19:45 0 a------- c:\windows\ativpsrm.bin
2009-06-25 19:41 <DIR> --d----- c:\program files\common files\ATI Technologies
2009-06-25 19:40 <DIR> --d----- c:\program files\USB TV
2009-06-25 19:39 593,920 -------- c:\windows\system32\ati2sgag.exe
2009-06-25 19:39 <DIR> --d----- c:\program files\ATI Technologies
2009-06-25 19:37 <DIR> --d----- C:\AMD
2009-06-25 19:31 664 a------- c:\windows\system32\d3d9caps.dat
2009-06-24 19:28 9,895 a------- c:\windows\system32\Config.MPF
2009-06-24 19:26 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-06-24 19:26 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-06-24 19:26 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-06-24 19:26 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-06-24 19:26 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-06-24 19:25 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2009-06-24 19:25 <DIR> --d----- c:\program files\McAfee.com
2009-06-24 19:25 <DIR> --d----- c:\program files\common files\McAfee
2009-06-24 19:25 <DIR> --d----- c:\program files\McAfee
2009-06-23 15:12 <DIR> --d----- c:\docume~1\paulja~1\applic~1\Malwarebytes
2009-06-23 15:12 <DIR> --d----- c:\program files\Trend Micro
2009-06-23 15:12 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-23 15:12 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 15:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-23 15:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 15:01 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-06-23 15:01 <DIR> --d----- c:\program files\MSECACHE
2009-06-23 14:13 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-06-23 13:51 <DIR> a-dshr-- C:\cmdcons
2009-06-23 13:48 161,792 a------- c:\windows\SWREG.exe
2009-06-23 13:48 155,136 a------- c:\windows\PEV.exe
2009-06-23 13:48 98,816 a------- c:\windows\sed.exe
2009-06-21 11:30 109 a--sh--- c:\windows\system32\3905853504.dat
2009-06-21 11:30 40,960 ---shr-- c:\windows\system32\activedsp.exe
2009-06-21 11:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\93535306
2009-06-21 11:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\13525314
2009-06-11 18:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Azureus
2009-06-11 18:51 <DIR> --d----- c:\docume~1\paulja~1\applic~1\Azureus
2009-06-06 01:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-06 01:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-06 01:58 <DIR> --d----- c:\docume~1\paulja~1\applic~1\SUPERAntiSpyware.com

==================== Find3M ====================

2009-07-03 12:58 58,368 a------- c:\windows\system32\spoolsv.exe
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-04-29 00:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 00:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 00:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 00:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 00:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-29 00:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-29 00:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 00:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 00:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 05:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 01:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 01:26 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2008-07-11 14:52 61,224 a------- c:\documents and settings\paul jacobsen\GoToAssistDownloadHelper.exe
2008-03-03 09:50 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2008-03-03 09:50 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLds.DAT
2008-02-27 22:17 394 a------- c:\docume~1\paulja~1\applic~1\wklnhst.dat
2008-01-18 21:32 71,512 a------- c:\docume~1\paulja~1\applic~1\GDIPFONTCACHEV1.DAT
2007-08-29 18:08 20,480 a--sh--- c:\program files\Thumbs.db
2007-01-01 20:17 1 a------- c:\documents and settings\paul jacobsen\SI.bin
2004-03-11 16:55 4,709,818 a------- c:\program files\VS6sp64.cab
2004-03-11 16:55 71,964 a------- c:\program files\sp698ent.inf
2004-03-11 16:54 10,010,624 a------- c:\program files\VS6sp63.cab
2004-03-11 16:51 10,010,624 a------- c:\program files\VS6sp62.cab
2004-03-11 16:47 28,712,960 a------- c:\program files\VS6sp61.cab
2004-03-11 16:40 75,871 -------- c:\program files\sp698ent.stf
2004-03-11 16:40 1,636 -------- c:\program files\setupsp6.lst
2004-03-11 15:01 989,512 a------- c:\program files\vbrun60.cab
2004-03-10 22:39 60,699 a------- c:\program files\msstdfmt.cab
2004-03-10 22:39 37,721 a------- c:\program files\MSBind.CAB
2004-03-09 17:45 397,072 a------- c:\program files\mswless.ocx
2004-03-09 17:45 107,008 a------- c:\program files\msscript.ocx
2004-02-23 21:35 3,027,068 a------- c:\program files\msvbvm60.dbg
2004-02-17 21:56 110,080 -------- c:\program files\sp698ent.dll
2004-02-17 21:34 1,821,920 a------- c:\program files\vcredist.exe
2004-02-17 06:11 737,329 a------- c:\program files\msvcep.dll
2004-02-17 05:36 708,669 a------- c:\program files\msse.dll
2004-02-11 18:36 6,308 -------- c:\program files\readme.htm
2004-02-11 14:32 2,302 -------- c:\program files\eula.txt
2003-01-14 15:58 487,481 a------- c:\program files\jscript.dll
2003-01-14 15:58 438,330 a------- c:\program files\vbscript.dll
2001-03-30 12:54 149 -------- c:\program files\setup.ini
2000-11-29 16:34 4,291 -------- c:\program files\toc.htm
2000-07-15 15:43 84 -------- c:\program files\setup.tdf
2000-07-15 15:10 26,896 a------- c:\program files\dispex.dll
2000-06-13 13:47 2,718 -------- c:\program files\redist.txt
2000-06-13 12:08 46,189 a------- c:\program files\ocdb.h
2000-06-13 11:56 12,972 a------- c:\program files\sqloledb.h
2000-06-13 11:52 3,090 a------- c:\program files\adc.h
2000-06-13 11:52 2,289 a------- c:\program files\msremote.h
2000-06-13 11:52 1,387 a------- c:\program files\persist.h
2000-06-13 11:52 5,904 a------- c:\program files\simpdata.tlb
2000-06-13 11:52 1,710 a------- c:\program files\osptk.lib
2000-06-13 11:52 27,832 a------- c:\program files\simpdata.h
2000-06-13 11:52 5,797 a------- c:\program files\msdaosp.h
2000-06-13 11:52 1,432 a------- c:\program files\msdaora.h
2000-06-13 11:51 31,366 a------- c:\program files\oledb.lib
2000-06-13 11:51 2,112 a------- c:\program files\msdasc.lib
2000-06-13 11:51 2,492 a------- c:\program files\msdatsrc.tlb
2000-06-13 11:51 592,505 a------- c:\program files\oledb.h
2000-06-13 11:51 80,300 a------- c:\program files\oledbdep.h
2000-06-13 11:51 36,515 a------- c:\program files\oledberr.h
2000-06-13 11:51 31,675 a------- c:\program files\cmdtree.h
2000-06-13 11:51 31,424 a------- c:\program files\msdasc.h
2000-06-13 11:51 17,975 a------- c:\program files\msdasql.h
2000-06-13 11:51 13,176 a------- c:\program files\msdadc.h
2000-06-13 11:51 12,676 a------- c:\program files\msdatsrc.h
2000-06-13 11:51 1,451 a------- c:\program files\msdaguid.h
2000-06-13 11:47 146,332 a------- c:\program files\odbc32.lib
2000-06-13 11:47 75,418 a------- c:\program files\odbccp32.lib
2000-06-13 11:47 80,246 a------- c:\program files\sqlext.h
2000-06-13 11:47 30,383 a------- c:\program files\sql.h
2000-06-13 11:47 22,825 a------- c:\program files\sqlucode.h
2000-06-13 11:47 15,315 a------- c:\program files\odbcinst.h
2000-06-13 11:47 6,947 a------- c:\program files\sqltypes.h
2000-06-13 11:45 19,199 a------- c:\program files\jetoledb.h
2000-06-13 11:45 11,461 a------- c:\program files\msjetodb.h
2000-06-13 11:45 3,066 a------- c:\program files\jetoledb.idl
2000-06-13 11:45 1,350 a------- c:\program files\jetoledb.lib
2000-06-13 11:33 2,482 a------- c:\program files\mswless.dep
2000-06-13 11:31 384,395 a------- c:\program files\msado15.h
2000-06-13 11:31 384,395 a------- c:\program files\adoint.h
2000-06-13 11:31 138,092 a------- c:\program files\adomd.h
2000-06-13 11:31 51,135 a------- c:\program files\msado15.idl
2000-06-13 11:31 46,620 a------- c:\program files\adojet.h
2000-06-13 11:31 16,452 a------- c:\program files\adomd.idl
2000-06-13 11:31 8,521 a------- c:\program files\adojet.idl
2000-06-13 11:31 4,458 a------- c:\program files\icrsint.h
2000-06-13 11:31 3,061 a------- c:\program files\adoid.h
2000-06-13 11:31:14 A------- 1,273 c:\program files\msdshape.h
2008-03-24 17:19 88 ---shr-- c:\windows\system32\756A3564C3.sys
2008-03-24 17:19 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-01-14 13:05 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011420090115\index.dat

============= FINISH: 17:02:18.29 ===============
Attached Files
File Type: zip Attach.zip (4.9 KB, 3 views)

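As an added example (not part of the original post, and not code from DDS, GMER or any other tool used in this thread), the following Python script applies a few of the checks a malware-removal helper makes by eye on a DDS log like the one above: Run-key autoruns with no name or launched from a temp directory, SSODL shell-object entries whose key name does not match the DLL they load, and newly created files under system32 that carry hidden+system attributes or purely numeric names. The sample lines are constructed to mirror the log format above; the rule names are my own, and the SSODL name-mismatch rule is a weak heuristic that needs manual follow-up rather than a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format DDS uses for its "Pseudo HJT Report"
# and "Created Last 30" sections (raw string, so the backslashes are literal).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>] c:\docume~1\user~1\locals~1\temp\dmc6x6.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: XHZZicfwj - {E8CE9841-4264-32EB-55BF-6752BDFD4EF2} - c:\windows\system32\ejqtsv.dll
2009-06-24 19:26 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-06-21 11:30 109 a--sh--- c:\windows\system32\3905853504.dat
2009-06-21 11:30 40,960 ---shr-- c:\windows\system32\activedsp.exe
2009-06-21 11:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\93535306
"""


@dataclass
class Finding:
    rule: str
    line: str


# uRun/mRun: per-user and per-machine Run keys, "[name] command".
AUTORUN_RE = re.compile(r"^(uRun|mRun):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
# SSODL: ShellServiceObjectDelayLoad entries, "key - {CLSID} - dll".
SSODL_RE = re.compile(r"^SSODL:\s*(?P<key>\S+)\s+-\s+(?:\{[0-9A-Fa-f-]+\}\s+-\s+)?(?P<path>.+)$")
# File entries: "date time size attrs path"; attrs is an 8-character flag
# string in which 'd' = directory, 's' = system, 'h' = hidden, 'r' = read-only.
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:<DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def stem(path):
    return basename(path).rsplit(".", 1)[0]


def check_autorun(m, line):
    name, cmd = m["name"], m["cmd"].lower()
    if name == "<NO NAME>":
        return Finding("autorun-unnamed", line)
    if "\\temp\\" in cmd or "\\locals~1\\" in cmd:
        return Finding("autorun-from-temp", line)
    return None


def check_ssodl(m, line):
    # Weak heuristic: legitimate SSODL keys are usually named after the DLL
    # they load; a key and DLL with unrelated, random-looking names deserve a look.
    if m["key"].lower() != stem(m["path"].strip()).lower():
        return Finding("ssodl-name-mismatch", line)
    return None


def check_file(m, line):
    attrs, path = m["attrs"], m["path"].strip()
    if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
        return Finding("hidden-system-file", line)
    if stem(path).isdigit():
        return Finding("numeric-name", line)
    return None


CHECKS = ((AUTORUN_RE, check_autorun), (SSODL_RE, check_ssodl), (FILE_RE, check_file))


def triage(log_text):
    """Return a Finding for every DDS log line that trips one of the rules."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for regex, check in CHECKS:
            m = regex.match(line)
            if m:
                finding = check(m, line)
                if finding:
                    findings.append(finding)
                break  # each line has exactly one shape; stop at the first match
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:22} {f.line}")
```

Run against the full log above, the same rules pick out the unnamed Run entry in the temp folder, the XHZZicfwj/ejqtsv.dll SSODL pair, and the hidden system-attributed files and numeric-named folders created on 2009-06-21. They say nothing about the GMER-flagged driver, which DDS did not list at all: that is the point of pairing a userland log with a rootkit scanner.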

#2 | 07-04-2009, 09:34 PM | forhockey | Analyst, Security Team | Ontario, Canada | Join Date: Sep 2006 | Posts: 2,948 | OS: Windows 7 Ultimate

Re: Need assistance removing NTOSKRNL-HOOK

Hi rpaulie,

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

--------------------------------------------------------------

Before beginning the proposed fix, read this post completely. Any questions should be kindly asked before proceeding. Ensure that there are no open browsers when carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------

Delete any version of ComboFix you might have now.
  1. Download ComboFix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------

    * IMPORTANT !!! Place combo-fix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

    You can get help on disabling your protection programs here
  3. Double click on combo-fix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in case your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you (located in C:\ComboFix.txt). Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
#3 | 07-05-2009, 09:03 AM | rpaulie | Registered User | Join Date: Jul 2009 | Posts: 28 | OS: Windows XP

Re: Need assistance removing NTOSKRNL-HOOK

Hello forhockey,

I appreciate your assistance.

I have completed combo-fix and acquired the log.

Unfortunately this particular log produced a very long report which exceeds the character limit that I can post. I am attaching the file itself.

If you need me to post it on separate replies please let me know and I'll be happy to.
Attached Files
File Type: txt log.txt (286.3 KB, 9 views)
#4 | 07-05-2009, 03:58 PM | forhockey | Analyst, Security Team | Ontario, Canada | Join Date: Sep 2006 | Posts: 2,948 | OS: Windows 7 Ultimate

Re: Need assistance removing NTOSKRNL-HOOK

Hello,

There are a few things we need to scan before I craft your fix.

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    c:\documents and settings\Paul Jacobsen\Application Data\acccore\shalom.exe

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.

If VirusTotal is busy, try the same at Jotti

Please repeat the same set of instructions for the following files:

c:\documents and settings\Paul Jacobsen\Application Data\Adobe\socks1.exe
c:\documents and settings\Paul Jacobsen\Application Data\AdobeUM\nomad.exe
c:\documents and settings\Paul Jacobsen\Application Data\Apple Computer\lego.exe


-------------------------------------------

Please reply back with the results from all 4 scans.
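The four files the helper asks about share one trait: executables sitting in vendor folders under Application Data (acccore, Adobe, AdobeUM, Apple Computer) with names unrelated to the software those folders belong to. As an added example, not part of the thread and not a VirusTotal or Jotti tool, this Python script does the sweep a responder would do before uploading anything: it walks a profile tree, picks out files by their MZ header rather than their extension, and computes the MD5/SHA1/SHA256 that VirusTotal reports (so a hash lookup can replace an upload, and the helper can confirm that the file scanned is the file on disk). The sample profile and its file contents are constructed; two of the relative paths echo the ones named in the post, the bytes are invented.

```python
import hashlib
import os
import tempfile

# Constructed sample contents of an Application Data tree. The two .exe paths
# echo the ones named in the post above; every byte here is made up.
SAMPLE_FILES = {
    "Adobe/socks1.exe": b"MZ" + b"\x90" * 62 + b"PE\x00\x00",
    "acccore/shalom.exe": b"MZ" + b"\x00" * 30,
    "Apple Computer/lego.dat": b"MZ" + b"\x00" * 30,   # a PE wearing a data extension
    "Adobe/prefs.txt": b"just text, not code\n",
    "Microsoft/empty.exe": b"",                        # too short to be a PE
}


def _digests(chunks):
    """Feed an iterable of byte chunks through md5, sha1 and sha256 at once."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in chunks:
        for h in hashes.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def hash_bytes(data):
    return _digests([data])


def hash_file(path):
    with open(path, "rb") as f:
        return _digests(iter(lambda: f.read(65536), b""))


def is_pe(path):
    """True if the file starts with the 'MZ' DOS header, whatever its extension."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def find_executables(root):
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if is_pe(path):
                    hits.append(path)
            except OSError:
                pass  # unreadable file: skip it rather than abort the sweep
    return sorted(hits)


def report(root):
    """Map each PE under root (relative path, '/'-separated) to its three digests."""
    return {os.path.relpath(p, root).replace(os.sep, "/"): hash_file(p)
            for p in find_executables(root)}


def build_sample_profile():
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="appdata_")
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for rel, digests in report(build_sample_profile()).items():
        print(rel)
        for name, value in digests.items():
            print(f"  {name:6} {value}")
```

Two caveats apply on a box like this one. First, the MZ check catches renamed executables (lego.dat above) that an extension filter misses, but it is only a first pass; a stub that loads a payload from elsewhere will hash as harmless-looking junk, which is exactly what a 422-byte file would suggest. Second, `os.walk` asks the running kernel for the directory listing, and the thread already has GMER reporting a hidden driver; a kernel rootkit can strip its own files from that listing, so a sweep run from inside the infected Windows install can come back clean while the files are still there. Hashing from a boot CD or a mounted offline image avoids that.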
#5 | 07-06-2009, 04:14 PM | rpaulie | Registered User | Join Date: Jul 2009 | Posts: 28 | OS: Windows XP

Re: Need assistance removing NTOSKRNL-HOOK

Hello there,

Here is the one for the

c:\documents and settings\Paul Jacobsen\Application Data\acccore\shalom.exe

Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.07.06 -
AhnLab-V3 5.0.0.2 2009.07.06 -
AntiVir 7.9.0.204 2009.07.06 -
Antiy-AVL 2.0.3.1 2009.07.06 -
Authentium 5.1.2.4 2009.07.06 -
Avast 4.8.1335.0 2009.07.06 -
AVG 8.5.0.386 2009.07.06 -
BitDefender 7.2 2009.07.06 -
CAT-QuickHeal 10.00 2009.07.06 -
ClamAV 0.94.1 2009.07.06 -
Comodo 1538 2009.07.02 -
DrWeb 5.0.0.12182 2009.07.06 -
eSafe 7.0.17.0 2009.07.06 -
eTrust-Vet 31.6.6598 2009.07.06 -
F-Prot 4.4.4.56 2009.07.06 -
F-Secure 8.0.14470.0 2009.07.06 -
Fortinet 3.117.0.0 2009.07.03 -
GData 19 2009.07.06 -
Ikarus T3.1.1.64.0 2009.07.06 -
Jiangmin 11.0.706 2009.07.06 -
K7AntiVirus 7.10.785 2009.07.06 -
Kaspersky 7.0.0.125 2009.07.06 -
McAfee 5668 2009.07.06 -
McAfee+Artemis 5668 2009.07.06 -
McAfee-GW-Edition 6.8.5 2009.07.06 -
Microsoft 1.4803 2009.07.06 -
NOD32 4221 2009.07.06 -
Norman 6.01.09 2009.07.06 -
nProtect 2009.1.8.0 2009.07.06 -
Panda 10.0.0.14 2009.07.06 -
PCTools 4.4.2.0 2009.07.06 -
Prevx 3.0 2009.07.06 -
Rising 21.37.04.00 2009.07.06 -
Sophos 4.43.0 2009.07.06 -
Sunbelt 3.2.1858.2 2009.07.05 -
Symantec 1.4.4.12 2009.07.06 -
TheHacker 6.3.4.3.364 2009.07.06 -
TrendMicro 8.950.0.1094 2009.07.06 -
VBA32 3.12.10.7 2009.07.06 -
ViRobot 2009.7.6.1820 2009.07.06 -
VirusBuster 4.6.5.0 2009.07.06 -
Additional information
File size: 11232 bytes
MD5 : 468ee00d1176b877652b7e95ada39d4d
SHA1 : 370c2666dba201eb0caeb08a222b13a927b14f98
SHA256: 680c2939c266c93acaadfd009111243309265600b90ebebae19cf83713674877
TrID : File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
ssdeep: -
PEiD : -
RDS : NSRL Reference Data Set
#6 | 07-06-2009, 04:15 PM | rpaulie | Registered User | Join Date: Jul 2009 | Posts: 28 | OS: Windows XP

Re: Need assistance removing NTOSKRNL-HOOK

This is for the

c:\documents and settings\Paul Jacobsen\Application Data\Adobe\socks1.exe

Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.07.06 -
AhnLab-V3 5.0.0.2 2009.07.06 -
AntiVir 7.9.0.204 2009.07.06 -
Antiy-AVL 2.0.3.1 2009.07.06 -
Authentium 5.1.2.4 2009.07.06 W32/Heuristic-CO2!Eldorado
Avast 4.8.1335.0 2009.07.06 -
AVG 8.5.0.386 2009.07.06 -
BitDefender 7.2 2009.07.06 -
CAT-QuickHeal 10.00 2009.07.06 -
ClamAV 0.94.1 2009.07.06 -
Comodo 1538 2009.07.02 -
DrWeb 5.0.0.12182 2009.07.06 -
eSafe 7.0.17.0 2009.07.06 -
eTrust-Vet 31.6.6598 2009.07.06 -
F-Prot 4.4.4.56 2009.07.06 W32/Heuristic-CO2!Eldorado
F-Secure 8.0.14470.0 2009.07.06 -
Fortinet 3.117.0.0 2009.07.03 -
GData 19 2009.07.06 -
Ikarus T3.1.1.64.0 2009.07.06 -
Jiangmin 11.0.706 2009.07.06 -
K7AntiVirus 7.10.785 2009.07.06 -
Kaspersky 7.0.0.125 2009.07.06 -
McAfee 5668 2009.07.06 -
McAfee+Artemis 5668 2009.07.06 -
McAfee-GW-Edition 6.8.5 2009.07.06 Heuristic.LooksLike.Win32.SuspiciousPE.P!80
Microsoft 1.4803 2009.07.06 -
NOD32 4221 2009.07.06 -
Norman 6.01.09 2009.07.06 -
nProtect 2009.1.8.0 2009.07.06 -
Panda 10.0.0.14 2009.07.06 -
PCTools 4.4.2.0 2009.07.06 -
Prevx 3.0 2009.07.07 -
Rising 21.37.04.00 2009.07.06 -
Sophos 4.43.0 2009.07.06 -
Sunbelt 3.2.1858.2 2009.07.05 VIPRE.Suspicious
Symantec 1.4.4.12 2009.07.06 -
TheHacker 6.3.4.3.364 2009.07.06 -
TrendMicro 8.950.0.1094 2009.07.06 -
VBA32 3.12.10.7 2009.07.06 -
ViRobot 2009.7.6.1820 2009.07.06 -
VirusBuster 4.6.5.0 2009.07.06 -
Additional information
File size: 422 bytes
MD5...: eac770fa68309a8261fdbfd98dff1a94
SHA1..: 306a299c323dfa7b1b3b0e929e9b38467f3d0673
SHA256: 80bcd75765a9b147607f223f9d99eddd15ea0876141fa57da5d68bb76946708b
ssdeep: 3:MpPqt/wlEh/jFkjXFeyxi4slltlml2mzlXlbp/stMlHvlt/9vl7//llrllTll/l6:MxlEh/jKjXFeyclltA96ib1w
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: -
PDFiD.: -
RDS...: NSRL Reference Data Set
-
packers (Kaspersky): PE_Patch
rpaulie is offline  
Old 07-06-2009, 04:17 PM   #7 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 28
OS: Windows XP


Re: Need assistance removing NTOSKRNL-HOOK

And finally the

c:\documents and settings\Paul Jacobsen\Application Data\Apple Computer\lego.exe

Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.07.06 -
AhnLab-V3 5.0.0.2 2009.07.06 -
AntiVir 7.9.0.204 2009.07.06 -
Antiy-AVL 2.0.3.1 2009.07.06 -
Authentium 5.1.2.4 2009.07.06 -
Avast 4.8.1335.0 2009.07.06 -
AVG 8.5.0.386 2009.07.06 -
BitDefender 7.2 2009.07.06 -
CAT-QuickHeal 10.00 2009.07.06 -
ClamAV 0.94.1 2009.07.06 -
Comodo 1538 2009.07.02 -
DrWeb 5.0.0.12182 2009.07.07 -
eSafe 7.0.17.0 2009.07.06 -
eTrust-Vet 31.6.6598 2009.07.06 -
F-Prot 4.4.4.56 2009.07.06 -
F-Secure 8.0.14470.0 2009.07.06 -
Fortinet 3.117.0.0 2009.07.03 -
GData 19 2009.07.07 -
Ikarus T3.1.1.64.0 2009.07.06 -
Jiangmin 11.0.706 2009.07.06 -
K7AntiVirus 7.10.785 2009.07.06 -
Kaspersky 7.0.0.125 2009.07.06 -
McAfee 5668 2009.07.06 -
McAfee+Artemis 5668 2009.07.06 -
McAfee-GW-Edition 6.8.5 2009.07.06 -
Microsoft 1.4803 2009.07.06 -
NOD32 4221 2009.07.06 -
Norman 6.01.09 2009.07.06 -
nProtect 2009.1.8.0 2009.07.06 -
Panda 10.0.0.14 2009.07.06 -
PCTools 4.4.2.0 2009.07.06 -
Prevx 3.0 2009.07.07 -
Rising 21.37.04.00 2009.07.06 -
Sophos 4.43.0 2009.07.06 -
Sunbelt 3.2.1858.2 2009.07.05 -
Symantec 1.4.4.12 2009.07.06 -
TheHacker 6.3.4.3.364 2009.07.06 -
TrendMicro 8.950.0.1094 2009.07.06 -
VBA32 3.12.10.7 2009.07.06 -
ViRobot 2009.7.6.1820 2009.07.06 -
VirusBuster 4.6.5.0 2009.07.06 -
Additional information
File size: 16141 bytes
MD5...: 134bb7104dcd1a3628ac4c1ca782a669
SHA1..: 28ad251c7dd74edd43af9cbdb58bd6dca6d3b8d6
SHA256: 6c69218157f71aa8e6efdd1238cca14fa493ee3da5b63d44db64c57307011acd
ssdeep: 192:njuBthI395/IkRy8pls9P8RXhp/zzdA8H/pUgpwz4q9TFiZn:WOzAkRyyly8RXfzdbfpUA04i+
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: -
PDFiD.: -
RDS...: NSRL Reference Data Set
-
rpaulie is offline  
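The three reports above are VirusTotal-style scan tables: shalom.exe and lego.exe come back 0/40, and socks1.exe is flagged by four engines, every one of them with a heuristic or "suspicious" verdict rather than a named family. Below is an added example, not from this thread and not VirusTotal's code, that parses one report block in exactly that layout and returns the detection ratio, which engines fired, whether every hit was heuristic, and the file hashes. The report text embedded in it is a constructed subset (8 of the 40 engines) of the socks1.exe table above; the keyword list used to call a verdict "heuristic" is this example's own assumption, not a VirusTotal convention.

```python
"""Parse a VirusTotal-style scan report of the kind pasted in this thread.

Added example, not part of the thread and not VirusTotal's own code. It
expects one report block in the layout shown above: the file path, a table
headed "Antivirus Version Last Update Result" with one engine per line
("-" meaning no detection), then "Additional information" with the file
size and the MD5/SHA1/SHA256 lines.
"""
import re
from typing import Dict, List

HEADER = "Antivirus Version Last Update Result"
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)[ .]*:\s*([0-9A-Fa-f]+)\s*$")
SIZE_RE = re.compile(r"^File size:\s*(\d+)\s*bytes")
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.\w+$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}
# Verdict words that mean "looks odd" rather than "matches a known family".
# This list is an assumption made for the example, not a VirusTotal rule.
HEURISTIC_WORDS = ("heuristic", "suspicious", "generic")

# Constructed subset of the socks1.exe table above (8 of the 40 engines).
SAMPLE_REPORT = r"""
c:\documents and settings\user\Application Data\Adobe\socks1.exe

Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.07.06 -
Authentium 5.1.2.4 2009.07.06 W32/Heuristic-CO2!Eldorado
Avast 4.8.1335.0 2009.07.06 -
F-Prot 4.4.4.56 2009.07.06 W32/Heuristic-CO2!Eldorado
Kaspersky 7.0.0.125 2009.07.06 -
McAfee-GW-Edition 6.8.5 2009.07.06 Heuristic.LooksLike.Win32.SuspiciousPE.P!80
Sunbelt 3.2.1858.2 2009.07.05 VIPRE.Suspicious
Symantec 1.4.4.12 2009.07.06 -
Additional information
File size: 422 bytes
MD5...: eac770fa68309a8261fdbfd98dff1a94
SHA1..: 306a299c323dfa7b1b3b0e929e9b38467f3d0673
SHA256: 80bcd75765a9b147607f223f9d99eddd15ea0876141fa57da5d68bb76946708b
"""


def parse_report(text: str) -> Dict:
    """Return path, size, hashes and a per-engine verdict (None = clean)."""
    report: Dict = {"path": None, "size": None, "hashes": {}, "verdicts": {}}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == HEADER:
            in_table = True
            continue
        if line.startswith("Additional information"):
            in_table = False
            continue
        if in_table:
            # engine  version  update-date  result   (result has no spaces here,
            # but join the tail anyway so a multi-word verdict is not truncated)
            parts = line.split()
            if len(parts) < 4:
                continue
            engine, result = parts[0], " ".join(parts[3:])
            report["verdicts"][engine] = None if result == "-" else result
            continue
        if report["path"] is None and PATH_RE.match(line):
            report["path"] = line
            continue
        m = SIZE_RE.match(line)
        if m:
            report["size"] = int(m.group(1))
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:       # catch a truncated paste
                raise ValueError(f"{algo} digest has wrong length: {digest}")
            report["hashes"][algo] = digest
    return report


def detections(report: Dict) -> List[str]:
    """Engines that returned something other than '-', sorted by name."""
    return sorted(e for e, v in report["verdicts"].items() if v)


def heuristic_only(report: Dict) -> bool:
    """True when there is at least one hit and every hit is a heuristic verdict."""
    hits = [v.lower() for v in report["verdicts"].values() if v]
    return bool(hits) and all(any(w in v for w in HEURISTIC_WORDS) for v in hits)


def summarize(report: Dict) -> str:
    hits = detections(report)
    total = len(report["verdicts"])
    name = report["path"].rsplit("\\", 1)[-1] if report["path"] else "?"
    if not hits:
        return f"{name}: 0/{total} engines flagged (no signature; not proof it is clean)"
    kind = "heuristic only" if heuristic_only(report) else "named signature"
    return f"{name}: {len(hits)}/{total} engines flagged ({kind}): {', '.join(hits)}"


if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE_REPORT)))
```

The point of the "heuristic only" flag: a handful of heuristic hits on a 422-byte, freshly dropped executable means no vendor had a signature for it yet, which is the normal state for a rootkit's helper files, so a low ratio is not a reason to trust the file.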
Old 07-06-2009, 05:12 PM   #8 (permalink)
Analyst, Security Team
 
forhockey's Avatar
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate


Re: Need assistance removing NTOSKRNL-HOOK

Hello,

Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/391517-need-assistance-removing-ntoskrnl-hook.html#post2221423

Collect::
c:\windows\system32\3905853504.dat
c:\windows\system32\activedsp.exe
c:\documents and settings\Paul Jacobsen\Application Data\acccore\shalom.exe
c:\documents and settings\Paul Jacobsen\Application Data\Adobe\socks1.exe
c:\documents and settings\Paul Jacobsen\Application Data\AdobeUM\nomad.exe
c:\documents and settings\Paul Jacobsen\Application Data\Apple Computer\lego.exe
Folder::
c:\documents and settings\All Users\Application Data\13525314
c:\documents and settings\All Users\Application Data\93535306
c:\documents and settings\All Users\Application Data\Azureus
c:\documents and settings\Paul Jacobsen\Application Data\Azureus
Save this as CFScript

Referring to the picture above, drag CFScript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis. Please submit "[4]-Submit_Date_Time.zip" by following the prompts.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
forhockey is offline  
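The reply above has ComboFix run with a collect script; the log posted in the next reply ends with a Sigcheck section that lists each system binary beside its backup copies as "[tag] date time size MD5 path", and the live copies of svchost.exe, winlogon.exe and explorer.exe there carry the digest D41D8CD98F00B204E9800998ECF8427E. That is the MD5 of zero bytes: the scanner opened a 17 KB file and read nothing back, which is consistent with a kernel-mode hook hiding a patched binary from user-mode readers, and it is exactly the three files ComboFix reports as "is infected!!". Below is an added example, not from the thread and not ComboFix's own code, that parses lines in that layout and classifies each live copy as OK (hash matches a reference copy), UNKNOWN (matches none) or EMPTY_READ (zero-byte digest on a non-empty file), with the size delta against the reference. Assumptions made for the example: copies tagged [7] are treated as the trusted reference set, the live copy is the one directly under system32, system32\drivers or \windows, and the sample lines are taken from the log below.

```python
"""Classify live Windows system binaries from a ComboFix-style Sigcheck listing.

Added example, not part of the thread and not ComboFix's own code. Each
line is expected as "[tag] date time size MD5 path". Copies tagged [7] are
treated here as the trusted reference set (an assumption about the
notation made for this example).
"""
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# MD5 of zero bytes: d41d8cd98f00b204e9800998ecf8427e. A non-empty file
# that hashes to this was opened, but its contents could not be read.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()

LINE_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+?)\s*$"
)
# Directories whose copy is the one Windows actually loads (assumption for
# this example); dllcache, ServicePackFiles and $hf_mig$ hold backups.
LIVE_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\", "c:\\windows\\system32\\drivers\\")

# Sample lines taken from the Sigcheck section of the log posted below.
SAMPLE = r"""
[-] 2004-08-10 10:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 00:12 17408 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\svchost.exe
[7] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\dllcache\cache\svchost.exe

[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\drivers\tcpip.sys

[-] 2008-04-14 00:12 1036288 D41D8CD98F00B204E9800998ECF8427E c:\windows\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
"""


class Entry(NamedTuple):
    tag: str
    size: int
    md5: str
    path: str


def parse_sigcheck(text: str) -> List[Entry]:
    """Pick out every '[tag] ... size md5 path' line; ignore anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["tag"], int(m["size"]), m["md5"].lower(), m["path"].lower()))
    return entries


def is_live(path: str) -> bool:
    """True for the copy Windows loads, not a backup in dllcache or a hotfix tree."""
    parent = path.rsplit("\\", 1)[0] + "\\"
    return parent in LIVE_DIRS


def classify(entries: List[Entry]) -> Dict[str, str]:
    """Verdict per live copy: OK, UNKNOWN or EMPTY_READ, plus size delta."""
    by_name: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        by_name[e.path.rsplit("\\", 1)[-1]].append(e)
    verdicts: Dict[str, str] = {}
    for group in by_name.values():
        refs = [e for e in group if e.tag == "7"]
        ref_hashes = {e.md5 for e in refs}
        for e in group:
            if not is_live(e.path):
                continue
            if e.size > 0 and e.md5 == EMPTY_MD5:
                verdict = "EMPTY_READ"      # contents hidden from the reader
            elif e.md5 in ref_hashes:
                verdict = "OK"
            else:
                verdict = "UNKNOWN"         # differs from every reference copy
            if refs and e.size != refs[0].size:
                verdict += f" (size {e.size - refs[0].size:+d} bytes vs reference)"
            verdicts[e.path] = verdict
    return verdicts


if __name__ == "__main__":
    for path, verdict in classify(parse_sigcheck(SAMPLE)).items():
        print(f"{verdict:45} {path}")
```

Note that UNKNOWN is not the same as infected: the live tcpip.sys differs from the only [7] copy but is identical to its dllcache twin and ComboFix does not flag it, so a hash mismatch alone needs a second source (a known-good hash for that exact KB build) before anyone restores over it. EMPTY_READ on a file the directory says is 17 KB is the stronger signal, because a clean filesystem never returns zero bytes for a non-empty file.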
Old 07-06-2009, 06:41 PM   #9 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 28
OS: Windows XP


Re: Need assistance removing NTOSKRNL-HOOK

Hello there,

I saved the quotebox as the CFScript file in Notepad and ran it through "Combo-Fix".

The computer rebooted and provided me with a new log file, which I attached.

Unfortunately I was unable to retrieve a prompt labeled "[4]-Submit_Date_Time.zip".

Hope I didn't do anything wrong.

If you need anything else, feel free to let me know. I appreciate the hand.

ComboFix 09-07-06.02 - Paul Jacobsen 07/06/2009 20:18.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.561 [GMT -4:00]
Running from: c:\documents and settings\Paul Jacobsen\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Paul Jacobsen\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

file zipped: c:\documents and settings\Paul Jacobsen\Application Data\acccore\shalom.exe
file zipped: c:\documents and settings\Paul Jacobsen\Application Data\Adobe\socks1.exe
file zipped: c:\documents and settings\Paul Jacobsen\Application Data\AdobeUM\nomad.exe
file zipped: c:\documents and settings\Paul Jacobsen\Application Data\Apple Computer\lego.exe
file zipped: c:\windows\system32\3905853504.dat
file zipped: c:\windows\system32\activedsp.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\13525314
c:\documents and settings\All Users\Application Data\93535306
c:\documents and settings\All Users\Application Data\Azureus
c:\documents and settings\All Users\Application Data\Azureus\azCID.txt
c:\documents and settings\Paul Jacobsen\Application Data\acccore\shalom.exe
c:\documents and settings\Paul Jacobsen\Application Data\Adobe\socks1.exe
c:\documents and settings\Paul Jacobsen\Application Data\AdobeUM\nomad.exe
c:\documents and settings\Paul Jacobsen\Application Data\Apple Computer\lego.exe
c:\documents and settings\Paul Jacobsen\Application Data\Azureus
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\.certs
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\.keystore
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\.lock
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\active\AD9A604A3F94C1C03DE3FEB27839D7D73E72C434.dat
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\active\AD9A604A3F94C1C03DE3FEB27839D7D73E72C434.dat.bak
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\active\cache.dat
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\azureus.config
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\azureus.config.bak
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\azureus.statistics
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\azureus.statistics.bak
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\cnetworks.config
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\devices.config
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\devices.config.bak
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\dht\general.dat
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\dht\version.dat
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\downloads.config
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\downloads.config.bak
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\friends.config
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\ipfilter.cache
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\logs\AutoSpeedSearchHistory_1.log
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\logs\CNetworks_1.log
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\logs\debug_1.log
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\logs\Devices_1.log
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\logs\Friends_1.log
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\logs\MetaSearch_1.log
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\logs\NetStatus_1.log
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\logs\seltrace_1.log
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\logs\Subscriptions_1.log
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\logs\thread_1.log
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\logs\v3.ads_1.log
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\logs\v3.CMsgr_1.log
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\logs\v3.Friends_1.log
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\logs\v3.PMsgr_1.log
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\logs\v3.Stream_1.log
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\metasearch.config
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\metasearch.config.bak
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\net\pm_33287.dat
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\net\pm_default.dat
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\plugins\azupnpav\cd.dat
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\sidebarauto.config
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\subs\B4AB7A24BB81B47B5226.vuze
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\subscriptions.config
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\tables.config
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\timingstats.dat
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\tmp\AZU22427.tmp
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\tmp\AZU22428.tmp
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\tmp\AZU22429.tmp
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\tmp\AZU22430.tmp
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\tmp\AZU22431.tmp
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\tmp\AZU22432.tmp
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\tmp\AZU22433.tmp
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\tmp\AZU22434.tmp
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\tmp\AZU22435.tmp
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\tmp\AZU22436.tmp
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\tmp\AZU22437.tmp
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\torrents\ATK_Hairy_Fun_Cameron__295.4899899.TPB.torrent
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\tracker.config
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\tracker.config.bak
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\unsentdata.config
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\v3.Friends.dat
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\v3.Friends.dat.bak
c:\documents and settings\Paul Jacobsen\Application Data\Azureus\VuzeActivities.config
c:\windows\Installer\1d5c9.msp
c:\windows\system32\3905853504.dat
c:\windows\system32\activedsp.exe

Infected copy of c:\windows\system32\lsass.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\lsass.exe

Infected copy of c:\windows\system32\services.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe

c:\windows\system32\svchost.exe . . . is infected!!

Infected copy of c:\windows\system32\spoolsv.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\spoolsv.exe

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
.

2009-07-06 04:32 . 2009-07-06 04:32 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\vlc
2009-07-05 20:37 . 2009-07-05 20:37 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\GARMIN
2009-07-05 20:37 . 2009-07-05 20:37 -------- d-----w- c:\program files\Garmin GPS Plugin
2009-06-25 23:40 . 2009-06-25 23:40 -------- d-----w- c:\program files\USB TV
2009-06-25 23:39 . 2008-07-04 01:05 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-06-25 23:39 . 2009-06-25 23:44 -------- d-----w- c:\program files\ATI Technologies
2009-06-25 23:37 . 2009-06-25 23:37 -------- d-----w- C:\AMD
2009-06-25 23:31 . 2009-06-25 23:31 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-24 23:26 . 2007-11-22 10:44 33832 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-06-24 23:26 . 2007-12-02 16:51 40488 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-06-24 23:26 . 2007-11-22 10:44 79304 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-06-24 23:26 . 2007-11-22 10:44 35240 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-06-24 23:26 . 2007-11-22 10:44 201320 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-06-24 23:25 . 2007-07-13 10:20 113952 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-06-24 23:25 . 2009-06-24 23:25 -------- d-----w- c:\program files\McAfee.com
2009-06-24 23:25 . 2009-06-24 23:25 -------- d-----w- c:\program files\Common Files\McAfee
2009-06-24 23:25 . 2009-06-25 21:10 -------- d-----w- c:\program files\McAfee
2009-06-23 19:28 . 2009-06-23 19:28 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-23 19:12 . 2009-06-23 19:12 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\Malwarebytes
2009-06-23 19:12 . 2009-06-23 19:12 -------- d-----w- c:\program files\Trend Micro
2009-06-23 19:12 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-23 19:12 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 19:12 . 2009-06-23 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-23 19:12 . 2009-07-01 18:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 19:01 . 2009-06-23 19:01 3584 ----a-r- c:\documents and settings\Paul Jacobsen\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-06-23 19:01 . 2009-06-23 19:01 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-06-23 19:01 . 2009-06-23 19:01 -------- d-----w- c:\program files\MSECACHE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 00:24 . 2008-06-15 20:29 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\acccore
2009-07-07 00:24 . 2007-01-09 03:46 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\AdobeUM
2009-07-07 00:24 . 2007-01-04 21:09 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\Apple Computer
2009-07-05 20:35 . 2009-06-25 23:40 -------- d-----w- c:\program files\DIFX
2009-07-05 20:35 . 2009-07-05 20:35 -------- d-----w- c:\program files\Garmin
2009-07-03 20:51 . 2009-04-24 03:42 -------- d-----w- c:\program files\Lavasoft
2009-07-03 18:21 . 2009-07-03 18:01 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-07-03 18:21 . 2009-07-03 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-07-02 22:12 . 2009-03-09 23:29 -------- d-----w- c:\program files\MONOGRAM AMR SplitterDecoder
2009-06-29 04:40 . 2009-01-30 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\28399
2009-06-25 23:46 . 2009-06-25 23:46 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\ATI
2009-06-25 23:46 . 2009-06-25 23:46 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-06-25 23:45 . 2009-06-25 23:45 0 ----a-w- c:\windows\ativpsrm.bin
2009-06-25 23:44 . 2009-06-25 23:41 -------- d-----w- c:\program files\Common Files\ATI Technologies
2009-06-25 23:41 . 2006-12-11 21:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-25 23:41 . 2009-06-25 23:41 9158 ----a-r- c:\documents and settings\Paul Jacobsen\Application Data\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
2009-06-24 23:28 . 2006-12-29 23:15 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-23 22:00 . 2008-07-08 02:36 -------- d-----w- c:\program files\AIM6
2009-06-23 22:00 . 2006-12-11 21:48 -------- d-----w- c:\program files\Viewpoint
2009-06-23 22:00 . 2006-12-11 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-23 21:59 . 2007-01-14 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-23 18:53 . 2009-06-06 05:59 117760 ----a-w- c:\documents and settings\Paul Jacobsen\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-23 18:50 . 2006-12-11 21:53 -------- d-----w- c:\program files\Yahoo!
2009-06-23 18:47 . 2008-06-29 20:35 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-11 22:51 . 2006-12-11 22:01 72680 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-10 07:04 . 2006-12-11 21:53 -------- d-----w- c:\program files\Microsoft Works
2009-06-06 05:59 . 2009-06-06 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-06 05:58 . 2009-06-06 05:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-06 05:58 . 2009-06-06 05:58 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\SUPERAntiSpyware.com
2009-06-06 05:58 . 2007-11-16 01:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-06 05:35 . 2009-06-06 05:35 11410 ----a-w- c:\documents and settings\Paul Jacobsen\Application Data\ArcSoft\msgdi.dll
2009-06-06 05:35 . 2009-06-06 05:35 10121 ----a-w- c:\documents and settings\Paul Jacobsen\Application Data\AVS4YOU\kern.dll
2009-06-06 05:35 . 2007-12-06 22:20 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\ArcSoft
2009-06-06 05:35 . 2009-06-06 05:35 13221 ----a-w- c:\documents and settings\Paul Jacobsen\Application Data\acccore(2)\rengo.dll
2009-06-04 00:56 . 2006-12-30 00:29 -------- d-----w- c:\program files\World of Warcraft
2009-05-19 05:36 . 2009-06-23 21:59 97072 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 05:36 . 2009-06-23 21:59 2884832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 05:36 . 2009-06-23 21:59 28 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat
2009-05-19 05:36 . 2009-06-23 21:59 25 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat
2009-05-19 05:36 . 2009-06-23 21:59 1484856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 05:36 . 2009-06-23 21:59 142040 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 05:36 . 2009-06-23 21:59 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 05:36 . 2009-06-23 21:59 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll
2009-05-07 15:32 . 2005-08-16 09:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-08-16 09:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2005-08-16 09:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-08-16 09:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2007-08-29 22:08 . 2007-08-29 22:08 20480 --sha-w- c:\program files\Thumbs.db
2004-03-11 20:55 . 2004-03-11 20:55 71964 ----a-w- c:\program files\sp698ent.inf
2004-03-11 20:55 . 2004-03-11 20:55 4709818 ----a-w- c:\program files\VS6sp64.cab
2004-03-11 20:54 . 2004-03-11 20:54 10010624 ----a-w- c:\program files\VS6sp63.cab
2004-03-11 20:51 . 2004-03-11 20:51 10010624 ----a-w- c:\program files\VS6sp62.cab
2004-03-11 20:47 . 2004-03-11 20:47 28712960 ----a-w- c:\program files\VS6sp61.cab
2004-03-11 20:40 . 2004-03-11 20:40 75871 ------w- c:\program files\sp698ent.stf
2004-03-11 20:40 . 2004-03-11 20:40 1636 ------w- c:\program files\setupsp6.lst
2004-03-11 19:01 . 2004-03-11 19:01 989512 ----a-w- c:\program files\vbrun60.cab
2004-03-11 02:39 . 2004-03-11 02:39 60699 ----a-w- c:\program files\msstdfmt.cab
2004-03-11 02:39 . 2004-03-11 02:39 37721 ----a-w- c:\program files\MSBind.CAB
2004-03-09 21:45 . 2004-03-09 21:45 397072 ----a-w- c:\program files\mswless.ocx
2004-03-09 21:45 . 2004-03-09 21:45 107008 ----a-w- c:\program files\msscript.ocx
2004-02-24 01:35 . 2004-02-24 01:35 3027068 ----a-w- c:\program files\msvbvm60.dbg
2004-02-18 01:56 . 2004-02-18 01:56 110080 ------w- c:\program files\sp698ent.dll
2004-02-18 01:34 . 2004-02-18 01:34 1821920 ----a-w- c:\program files\vcredist.exe
2004-02-17 10:11 . 2004-02-17 10:11 737329 ----a-w- c:\program files\msvcep.dll
2004-02-17 09:36 . 2004-02-17 09:36 708669 ----a-w- c:\program files\msse.dll
2004-02-11 22:36 . 2004-02-11 22:36 6308 ------w- c:\program files\readme.htm
2004-02-11 18:32 . 2004-02-11 18:32 2302 ------w- c:\program files\eula.txt
2003-01-14 19:58 . 2003-01-14 19:58 487481 ----a-w- c:\program files\jscript.dll
2003-01-14 19:58 . 2003-01-14 19:58 438330 ----a-w- c:\program files\vbscript.dll
2001-03-30 16:54 . 2001-03-30 16:54 149 ------w- c:\program files\setup.ini
2000-11-29 20:34 . 2000-11-29 20:34 4291 ------w- c:\program files\toc.htm
2000-07-15 19:43 . 2000-07-15 19:43 84 ------w- c:\program files\setup.tdf
2000-07-15 19:10 . 2000-07-15 19:10 26896 ----a-w- c:\program files\dispex.dll
2000-06-13 17:47 . 2000-06-13 17:47 2718 ------w- c:\program files\redist.txt
2000-06-13 16:08 . 2000-06-13 16:08 46189 ----a-w- c:\program files\ocdb.h
2000-06-13 15:56 . 2000-06-13 15:56 12972 ----a-w- c:\program files\sqloledb.h
2000-06-13 15:52 . 2000-06-13 15:52 3090 ----a-w- c:\program files\adc.h
2000-06-13 15:52 . 2000-06-13 15:52 2289 ----a-w- c:\program files\msremote.h
2000-06-13 15:52 . 2000-06-13 15:52 1387 ----a-w- c:\program files\persist.h
2000-06-13 15:52 . 2000-06-13 15:52 5904 ----a-w- c:\program files\simpdata.tlb
2000-06-13 15:52 . 2000-06-13 15:52 1710 ----a-w- c:\program files\osptk.lib
2000-06-13 15:52 . 2000-06-13 15:52 5797 ----a-w- c:\program files\msdaosp.h
2000-06-13 15:52 . 2000-06-13 15:52 27832 ----a-w- c:\program files\simpdata.h
2000-06-13 15:52 . 2000-06-13 15:52 1432 ----a-w- c:\program files\msdaora.h
2000-06-13 15:51 . 2000-06-13 15:51 31366 ----a-w- c:\program files\oledb.lib
2000-06-13 15:51 . 2000-06-13 15:51 2112 ----a-w- c:\program files\msdasc.lib
2000-06-13 15:51 . 2000-06-13 15:51 2492 ----a-w- c:\program files\msdatsrc.tlb
2000-06-13 15:51 . 2000-06-13 15:51 80300 ----a-w- c:\program files\oledbdep.h
2000-06-13 15:51 . 2000-06-13 15:51 592505 ----a-w- c:\program files\oledb.h
2000-06-13 15:51 . 2000-06-13 15:51 36515 ----a-w- c:\program files\oledberr.h
2000-06-13 15:51 . 2000-06-13 15:51 31675 ----a-w- c:\program files\cmdtree.h
2000-06-13 15:51 . 2000-06-13 15:51 31424 ----a-w- c:\program files\msdasc.h
2000-06-13 15:51 . 2000-06-13 15:51 17975 ----a-w- c:\program files\msdasql.h
2000-06-13 15:51 . 2000-06-13 15:51 1451 ----a-w- c:\program files\msdaguid.h
2000-06-13 15:51 . 2000-06-13 15:51 13176 ----a-w- c:\program files\msdadc.h
2000-06-13 15:51 . 2000-06-13 15:51 12676 ----a-w- c:\program files\msdatsrc.h
2000-06-13 15:47 . 2000-06-13 15:47 75418 ----a-w- c:\program files\odbccp32.lib
2000-06-13 15:47 . 2000-06-13 15:47 146332 ----a-w- c:\program files\odbc32.lib
2000-06-13 15:47 . 2000-06-13 15:47 80246 ----a-w- c:\program files\sqlext.h
2008-03-24 21:19 . 2006-12-30 00:30 88 --sh--r- c:\windows\system32\756A3564C3.sys
2008-03-24 21:19 . 2006-12-30 00:30 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2004-08-10 10:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 00:12 17408 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\svchost.exe
[7] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\dllcache\cache\svchost.exe

[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-04-13 19:20 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\drivers\tcpip.sys

[-] 2004-08-10 10:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 512000 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\dllcache\cache\winlogon.exe

[-] 2008-04-14 00:12 1036288 D41D8CD98F00B204E9800998ECF8427E c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot_2009-07-05_14.39.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-08-16 09:18 . 2008-04-14 00:12 57856 c:\windows\system32\spoolsv.exe
+ 2005-08-16 09:18 . 2008-04-14 00:12 13312 c:\windows\system32\lsass.exe
+ 2009-07-05 20:35 . 2007-03-08 20:18 18432 c:\windows\system32\DRVSTORE\grmnusb_09F3E629557EBE4D2BA1A9469BDAE635AC0807AE\I386\grmngen.sys
+ 2005-08-16 09:18 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\spoolsv.exe
+ 2005-08-16 09:18 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\lsass.exe
+ 2009-07-05 15:39 . 2009-07-06 21:52 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-12-29 18:33 . 2009-07-06 21:52 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-12-29 18:33 . 2009-07-05 10:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-12-29 18:33 . 2009-07-06 21:52 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-12-29 18:33 . 2009-07-05 10:31 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-05 20:35 . 2007-03-08 20:18 8320 c:\windows\system32\DRVSTORE\grmnusb_09F3E629557EBE4D2BA1A9469BDAE635AC0807AE\I386\grmnusb.sys
+ 2005-08-16 09:18 . 2009-02-06 11:06 110592 c:\windows\system32\services.exe
+ 2005-08-16 09:18 . 2009-02-06 11:06 110592 c:\windows\system32\dllcache\services.exe
+ 2009-07-05 20:35 . 2009-07-05 20:35 637952 c:\windows\Installer\14d5c0f.msi
+ 2009-07-05 20:35 . 2009-07-05 20:35 1091584 c:\windows\Installer\14d5c0a.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2009-6-25 81997]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"XHZZicfwj"= {E8CE9841-4264-32EB-55BF-6752BDFD4EF2} - c:\windows\system32\ejqtsv.dll [2009-03-21 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Black Isle\\BGII - SoA\\BGMain.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/23/2009 6:00 PM 24652]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [7/20/2007 6:40 PM 93696]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [8/29/2006 12:54 AM 10664]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2009-06-24 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-24 17:32]

2009-06-24 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-24 17:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Paul Jacobsen\Application Data\Mozilla\Firefox\Profiles\gjw7b1wl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 20:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1847528650-894552839-4089639203-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5CCCE6BC-0C86-6AB1-2C28-6C0E41335DF7}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"eaonjdjldh"=hex:66,61,6d,70,69,68,66,70,6d,69,64,6b,00,fc
"dajnkdke"=hex:64,62,65,70,63,68,64,6f,62,6e,67,70,64,70,6a,70,61,63,61,6d,63,
69,6b,6f,6c,66,61,6f,61,63,62,6c,69,65,6f,64,66,6f,61,63,00,00
"iagpmohajkinbgpion"=hex:6a,61,68,65,6a,64,65,63,66,6b,63,6d,6c,67,65,70,62,65,
65,6a,00,97
"haepcnochflkoopj"=hex:6a,61,68,65,6a,64,65,63,66,6b,63,6d,6c,67,65,70,62,65,
65,6a,00,1c

[HKEY_USERS\S-1-5-21-1847528650-894552839-4089639203-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6D29E5F7-1322-31FF-E9CD-12BE5B4F8016}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaodpfehacfnobbdkd"=hex:6a,61,6b,69,70,61,62,6d,65,65,6f,61,70,66,64,69,66,62,
64,63,00,00
"haidkpglakjancfe"=hex:6a,61,6b,69,70,61,62,6d,65,65,6f,61,70,66,64,69,66,62,
64,63,00,12

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3544)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-07 20:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-07 00:31
ComboFix2.txt 2009-07-05 14:40
ComboFix3.txt 2009-06-23 18:14

Pre-Run: 106,075,791,360 bytes free
Post-Run: 106,106,933,248 bytes free

506 --- E O F --- 2009-07-06 21:50
Attached Files
File Type: txt log2.txt (39.2 KB, 2 views)

Last edited by Ried; 07-06-2009 at 09:56 PM.
Old 07-06-2009, 10:21 PM   #10 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate


Re: Need assistance removing NTOSKRNL-HOOK

Hello rpaulie,

It should've prompted you to upload a file. Let's not worry about it for now and continue with the cleaning :)

--------------------------------------------------------------

Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please post the contents in your next reply.

--------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/391517-need-assistance-removing-ntoskrnl-hook.html#post2221423

FCopy::
c:\windows\ServicePackFiles\i386\svchost.exe | c:\windows\system32\svchost.exe
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
RegNull::
[HKEY_USERS\S-1-5-21-1847528650-894552839-4089639203-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5CCCE6BC-0C86-6AB1-2C28-6C0E41335DF7}*]
[HKEY_USERS\S-1-5-21-1847528650-894552839-4089639203-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6D29E5F7-1322-31FF-E9CD-12BE5B4F8016}*]
RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
DirLook::
c:\documents and settings\All Users\Application Data\28399
Collect::
c:\windows\system32\ejqtsv.dll
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-
Save this as CFScript




Referring to the picture above, drag CFScript into Combo-Fix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis. Please submit "[4]-Submit_Date_Time.zip" by following the prompts.

Can you also update me on how your system is behaving?
__________________


Proud Member of ASAP
Proud Member of UNITE

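Why the FCopy lines in the script above name those particular source copies: ComboFix's Sigcheck block (it appears in the log posted next in this thread) lists every copy of a system file on disk with a verification flag, size and MD5, and the analyst picks a verified backup copy to overwrite the failing live one. The Python below is an added example, not part of this thread or of ComboFix itself; it assumes `[7]` marks a copy that passed verification and `[-]` one that failed, treats the MD5 of empty input on a non-empty file as "the scanner could not read this file" (a sign that something is blocking access to it), and ranks verified backup copies as restore candidates for an analyst to confirm. The sample lines are copied from the Sigcheck block posted in this thread.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# MD5 of zero bytes. Reported for a file whose size is clearly non-zero, it means
# the scanner could not read the file's contents at all.
EMPTY_MD5 = "D41D8CD98F00B204E9800998ECF8427E"

# One Sigcheck line: [flag] date time size md5 path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>\S.*?)\s*$"
)

# Directories holding the copy Windows actually loads; every other location
# (dllcache, ServicePackFiles, $hf_mig$, ...) is a backup copy.
LIVE_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\system32\\drivers"}

# Assumed preference order between verified backup copies (most trusted first).
SOURCE_PREFERENCE = ("\\servicepackfiles\\i386\\", "\\$hf_mig$\\",
                     "\\dllcache\\", "\\$ntservicepackuninstall$\\")


class SigEntry(NamedTuple):
    verified: bool   # assumed: "[7]" passed verification, "[-]" failed
    size: int
    md5: str
    path: str        # lower-cased for comparison


class Finding(NamedTuple):
    live: SigEntry
    reasons: List[str]
    sources: List[SigEntry]   # verified backup copies, best candidate first


def parse_sigcheck(text: str) -> List[SigEntry]:
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append(SigEntry(m["flag"] == "7", int(m["size"]),
                                    m["md5"].upper(), m["path"].lower()))
    return entries


def is_live_copy(path: str) -> bool:
    parent, _, _ = path.rpartition("\\")
    return parent in LIVE_DIRS


def _source_rank(candidate: SigEntry, live: SigEntry):
    # Prefer a copy of the same size as the live file, then by location trust.
    pref = next((i for i, marker in enumerate(SOURCE_PREFERENCE)
                 if marker in candidate.path), len(SOURCE_PREFERENCE))
    return (0 if candidate.size == live.size else 1, pref)


def plan_restores(entries: List[SigEntry]) -> Dict[str, Finding]:
    by_name = defaultdict(list)
    for e in entries:
        by_name[e.path.rpartition("\\")[2]].append(e)
    findings: Dict[str, Finding] = {}
    for name, copies in by_name.items():
        for live in (c for c in copies if is_live_copy(c.path)):
            reasons = []
            if not live.verified:
                reasons.append("live copy failed signature check")
            if live.md5 == EMPTY_MD5 and live.size > 0:
                reasons.append("MD5 is the empty-input hash: file could not be read")
            if not reasons:
                continue
            sources = sorted((c for c in copies if c.verified and not is_live_copy(c.path)),
                             key=lambda c: _source_rank(c, live))
            findings[name] = Finding(live, reasons, sources)
    return findings


def proposed_fcopy(findings: Dict[str, Finding]) -> List[str]:
    # Candidate "source | destination" lines in the FCopy:: syntax, for review only.
    return [f"{f.sources[0].path} | {f.live.path}" for f in findings.values() if f.sources]


# Sigcheck lines copied from the ComboFix log posted in this thread.
SAMPLE_SIGCHECK = r"""
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-04-13 19:20 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\drivers\tcpip.sys
[-] 2004-08-10 10:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 512000 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\dllcache\cache\winlogon.exe
[-] 2008-04-14 00:12 1036288 D41D8CD98F00B204E9800998ECF8427E c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\dllcache\cache\explorer.exe
"""

if __name__ == "__main__":
    for name, f in plan_restores(parse_sigcheck(SAMPLE_SIGCHECK)).items():
        print(name, "->", "; ".join(f.reasons))
        for s in f.sources:
            print("   candidate:", s.path, s.size)
```

Note that the live explorer.exe and winlogon.exe are larger than every verified copy and carry the empty-input hash, which is exactly the pattern that justifies restoring them from a known-good copy rather than trusting the on-disk file.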
Old 07-07-2009, 08:41 PM   #11 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 28
OS: Windows XP


Re: Need assistance removing NTOSKRNL-HOOK

Hello there. I was able to get the log, but the program will still not provide the "[4]-Submit_Date_Time.zip".

Also, the NTOSKRNL-HOOK trojan seems to be removed! When I ran McAfee it was not there.

I hope this helps:

ComboFix 09-07-07.A2 - Paul Jacobsen 07/07/2009 20:57.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.615 [GMT -4:00]
Running from: c:\documents and settings\Paul Jacobsen\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Paul Jacobsen\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\169ba1c.msp

Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-07-08 )))))))))))))))))))))))))))))))
.

2009-07-06 04:32 . 2009-07-06 04:32 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\vlc
2009-07-05 20:37 . 2009-07-05 20:37 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\GARMIN
2009-07-05 20:37 . 2009-07-05 20:37 -------- d-----w- c:\program files\Garmin GPS Plugin
2009-06-25 23:40 . 2009-06-25 23:40 -------- d-----w- c:\program files\USB TV
2009-06-25 23:39 . 2008-07-04 01:05 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-06-25 23:39 . 2009-06-25 23:44 -------- d-----w- c:\program files\ATI Technologies
2009-06-25 23:37 . 2009-06-25 23:37 -------- d-----w- C:\AMD
2009-06-25 23:31 . 2009-06-25 23:31 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-24 23:26 . 2007-11-22 10:44 33832 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-06-24 23:26 . 2007-12-02 16:51 40488 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-06-24 23:26 . 2007-11-22 10:44 79304 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-06-24 23:26 . 2007-11-22 10:44 35240 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-06-24 23:26 . 2007-11-22 10:44 201320 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-06-24 23:25 . 2007-07-13 10:20 113952 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-06-24 23:25 . 2009-06-24 23:25 -------- d-----w- c:\program files\McAfee.com
2009-06-24 23:25 . 2009-06-24 23:25 -------- d-----w- c:\program files\Common Files\McAfee
2009-06-24 23:25 . 2009-06-25 21:10 -------- d-----w- c:\program files\McAfee
2009-06-23 19:28 . 2009-06-23 19:28 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-23 19:12 . 2009-06-23 19:12 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\Malwarebytes
2009-06-23 19:12 . 2009-06-23 19:12 -------- d-----w- c:\program files\Trend Micro
2009-06-23 19:12 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-23 19:12 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 19:12 . 2009-06-23 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-23 19:12 . 2009-07-01 18:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 19:01 . 2009-06-23 19:01 3584 ----a-r- c:\documents and settings\Paul Jacobsen\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-06-23 19:01 . 2009-06-23 19:01 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-06-23 19:01 . 2009-06-23 19:01 -------- d-----w- c:\program files\MSECACHE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 00:24 . 2008-06-15 20:29 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\acccore
2009-07-07 00:24 . 2007-01-09 03:46 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\AdobeUM
2009-07-07 00:24 . 2007-01-04 21:09 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\Apple Computer
2009-07-05 20:35 . 2009-06-25 23:40 -------- d-----w- c:\program files\DIFX
2009-07-05 20:35 . 2009-07-05 20:35 -------- d-----w- c:\program files\Garmin
2009-07-03 20:51 . 2009-04-24 03:42 -------- d-----w- c:\program files\Lavasoft
2009-07-03 18:21 . 2009-07-03 18:01 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-07-03 18:21 . 2009-07-03 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-07-02 22:12 . 2009-03-09 23:29 -------- d-----w- c:\program files\MONOGRAM AMR SplitterDecoder
2009-06-29 04:40 . 2009-01-30 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\28399
2009-06-25 23:46 . 2009-06-25 23:46 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\ATI
2009-06-25 23:46 . 2009-06-25 23:46 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-06-25 23:45 . 2009-06-25 23:45 0 ----a-w- c:\windows\ativpsrm.bin
2009-06-25 23:44 . 2009-06-25 23:41 -------- d-----w- c:\program files\Common Files\ATI Technologies
2009-06-25 23:41 . 2006-12-11 21:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-25 23:41 . 2009-06-25 23:41 9158 ----a-r- c:\documents and settings\Paul Jacobsen\Application Data\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
2009-06-24 23:28 . 2006-12-29 23:15 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-23 22:00 . 2008-07-08 02:36 -------- d-----w- c:\program files\AIM6
2009-06-23 22:00 . 2006-12-11 21:48 -------- d-----w- c:\program files\Viewpoint
2009-06-23 22:00 . 2006-12-11 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-23 21:59 . 2007-01-14 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-23 18:53 . 2009-06-06 05:59 117760 ----a-w- c:\documents and settings\Paul Jacobsen\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-23 18:50 . 2006-12-11 21:53 -------- d-----w- c:\program files\Yahoo!
2009-06-23 18:47 . 2008-06-29 20:35 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-11 22:51 . 2006-12-11 22:01 72680 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-10 07:04 . 2006-12-11 21:53 -------- d-----w- c:\program files\Microsoft Works
2009-06-06 05:59 . 2009-06-06 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-06 05:58 . 2009-06-06 05:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-06 05:58 . 2009-06-06 05:58 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\SUPERAntiSpyware.com
2009-06-06 05:58 . 2007-11-16 01:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-06 05:35 . 2009-06-06 05:35 11410 ----a-w- c:\documents and settings\Paul Jacobsen\Application Data\ArcSoft\msgdi.dll
2009-06-06 05:35 . 2009-06-06 05:35 10121 ----a-w- c:\documents and settings\Paul Jacobsen\Application Data\AVS4YOU\kern.dll
2009-06-06 05:35 . 2007-12-06 22:20 -------- d-----w- c:\documents and settings\Paul Jacobsen\Application Data\ArcSoft
2009-06-06 05:35 . 2009-06-06 05:35 13221 ----a-w- c:\documents and settings\Paul Jacobsen\Application Data\acccore(2)\rengo.dll
2009-06-04 00:56 . 2006-12-30 00:29 -------- d-----w- c:\program files\World of Warcraft
2009-05-19 05:36 . 2009-06-23 21:59 97072 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 05:36 . 2009-06-23 21:59 2884832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 05:36 . 2009-06-23 21:59 28 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat
2009-05-19 05:36 . 2009-06-23 21:59 25 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat
2009-05-19 05:36 . 2009-06-23 21:59 1484856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 05:36 . 2009-06-23 21:59 142040 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 05:36 . 2009-06-23 21:59 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 05:36 . 2009-06-23 21:59 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll
2009-05-07 15:32 . 2005-08-16 09:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-08-16 09:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2005-08-16 09:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-08-16 09:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2007-08-29 22:08 . 2007-08-29 22:08 20480 --sha-w- c:\program files\Thumbs.db
2004-03-11 20:55 . 2004-03-11 20:55 71964 ----a-w- c:\program files\sp698ent.inf
2004-03-11 20:55 . 2004-03-11 20:55 4709818 ----a-w- c:\program files\VS6sp64.cab
2004-03-11 20:54 . 2004-03-11 20:54 10010624 ----a-w- c:\program files\VS6sp63.cab
2004-03-11 20:51 . 2004-03-11 20:51 10010624 ----a-w- c:\program files\VS6sp62.cab
2004-03-11 20:47 . 2004-03-11 20:47 28712960 ----a-w- c:\program files\VS6sp61.cab
2004-03-11 20:40 . 2004-03-11 20:40 75871 ------w- c:\program files\sp698ent.stf
2004-03-11 20:40 . 2004-03-11 20:40 1636 ------w- c:\program files\setupsp6.lst
2004-03-11 19:01 . 2004-03-11 19:01 989512 ----a-w- c:\program files\vbrun60.cab
2004-03-11 02:39 . 2004-03-11 02:39 60699 ----a-w- c:\program files\msstdfmt.cab
2004-03-11 02:39 . 2004-03-11 02:39 37721 ----a-w- c:\program files\MSBind.CAB
2004-03-09 21:45 . 2004-03-09 21:45 397072 ----a-w- c:\program files\mswless.ocx
2004-03-09 21:45 . 2004-03-09 21:45 107008 ----a-w- c:\program files\msscript.ocx
2004-02-24 01:35 . 2004-02-24 01:35 3027068 ----a-w- c:\program files\msvbvm60.dbg
2004-02-18 01:56 . 2004-02-18 01:56 110080 ------w- c:\program files\sp698ent.dll
2004-02-18 01:34 . 2004-02-18 01:34 1821920 ----a-w- c:\program files\vcredist.exe
2004-02-17 10:11 . 2004-02-17 10:11 737329 ----a-w- c:\program files\msvcep.dll
2004-02-17 09:36 . 2004-02-17 09:36 708669 ----a-w- c:\program files\msse.dll
2004-02-11 22:36 . 2004-02-11 22:36 6308 ------w- c:\program files\readme.htm
2004-02-11 18:32 . 2004-02-11 18:32 2302 ------w- c:\program files\eula.txt
2003-01-14 19:58 . 2003-01-14 19:58 487481 ----a-w- c:\program files\jscript.dll
2003-01-14 19:58 . 2003-01-14 19:58 438330 ----a-w- c:\program files\vbscript.dll
2001-03-30 16:54 . 2001-03-30 16:54 149 ------w- c:\program files\setup.ini
2000-11-29 20:34 . 2000-11-29 20:34 4291 ------w- c:\program files\toc.htm
2000-07-15 19:43 . 2000-07-15 19:43 84 ------w- c:\program files\setup.tdf
2000-07-15 19:10 . 2000-07-15 19:10 26896 ----a-w- c:\program files\dispex.dll
2000-06-13 17:47 . 2000-06-13 17:47 2718 ------w- c:\program files\redist.txt
2000-06-13 16:08 . 2000-06-13 16:08 46189 ----a-w- c:\program files\ocdb.h
2000-06-13 15:56 . 2000-06-13 15:56 12972 ----a-w- c:\program files\sqloledb.h
2000-06-13 15:52 . 2000-06-13 15:52 3090 ----a-w- c:\program files\adc.h
2000-06-13 15:52 . 2000-06-13 15:52 2289 ----a-w- c:\program files\msremote.h
2000-06-13 15:52 . 2000-06-13 15:52 1387 ----a-w- c:\program files\persist.h
2000-06-13 15:52 . 2000-06-13 15:52 5904 ----a-w- c:\program files\simpdata.tlb
2000-06-13 15:52 . 2000-06-13 15:52 1710 ----a-w- c:\program files\osptk.lib
2000-06-13 15:52 . 2000-06-13 15:52 5797 ----a-w- c:\program files\msdaosp.h
2000-06-13 15:52 . 2000-06-13 15:52 27832 ----a-w- c:\program files\simpdata.h
2000-06-13 15:52 . 2000-06-13 15:52 1432 ----a-w- c:\program files\msdaora.h
2000-06-13 15:51 . 2000-06-13 15:51 31366 ----a-w- c:\program files\oledb.lib
2000-06-13 15:51 . 2000-06-13 15:51 2112 ----a-w- c:\program files\msdasc.lib
2000-06-13 15:51 . 2000-06-13 15:51 2492 ----a-w- c:\program files\msdatsrc.tlb
2000-06-13 15:51 . 2000-06-13 15:51 80300 ----a-w- c:\program files\oledbdep.h
2000-06-13 15:51 . 2000-06-13 15:51 592505 ----a-w- c:\program files\oledb.h
2000-06-13 15:51 . 2000-06-13 15:51 36515 ----a-w- c:\program files\oledberr.h
2000-06-13 15:51 . 2000-06-13 15:51 31675 ----a-w- c:\program files\cmdtree.h
2000-06-13 15:51 . 2000-06-13 15:51 31424 ----a-w- c:\program files\msdasc.h
2000-06-13 15:51 . 2000-06-13 15:51 17975 ----a-w- c:\program files\msdasql.h
2000-06-13 15:51 . 2000-06-13 15:51 1451 ----a-w- c:\program files\msdaguid.h
2000-06-13 15:51 . 2000-06-13 15:51 13176 ----a-w- c:\program files\msdadc.h
2000-06-13 15:51 . 2000-06-13 15:51 12676 ----a-w- c:\program files\msdatsrc.h
2000-06-13 15:47 . 2000-06-13 15:47 75418 ----a-w- c:\program files\odbccp32.lib
2000-06-13 15:47 . 2000-06-13 15:47 146332 ----a-w- c:\program files\odbc32.lib
2000-06-13 15:47 . 2000-06-13 15:47 80246 ----a-w- c:\program files\sqlext.h
2008-03-24 21:19 . 2006-12-30 00:30 88 --sh--r- c:\windows\system32\756A3564C3.sys
2008-03-24 21:19 . 2006-12-30 00:30 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-04-13 19:20 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\drivers\tcpip.sys

[-] 2004-08-10 10:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 512000 D41D8CD98F00B204E9800998ECF8427E c:\windows\system32\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\dllcache\cache\winlogon.exe

[-] 2008-04-14 00:12 1036288 D41D8CD98F00B204E9800998ECF8427E c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot_2009-07-05_14.39.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-08-16 09:18 . 2008-04-14 00:12 14336 c:\windows\system32\svchost.exe
+ 2005-08-16 09:18 . 2008-04-14 00:12 57856 c:\windows\system32\spoolsv.exe
+ 2005-08-16 09:18 . 2008-04-14 00:12 13312 c:\windows\system32\lsass.exe
+ 2009-07-05 20:35 . 2007-03-08 20:18 18432 c:\windows\system32\DRVSTORE\grmnusb_09F3E629557EBE4D2BA1A9469BDAE635AC0807AE\I386\grmngen.sys
+ 2005-08-16 09:18 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\svchost.exe
+ 2005-08-16 09:18 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\spoolsv.exe
+ 2005-08-16 09:18 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\lsass.exe
+ 2006-12-29 18:33 . 2009-07-07 22:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-12-29 18:33 . 2009-07-05 10:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-12-29 18:33 . 2009-07-05 10:31 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-12-29 18:33 . 2009-07-07 22:04 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-05 20:35 . 2007-03-08 20:18 8320 c:\windows\system32\DRVSTORE\grmnusb_09F3E629557EBE4D2BA1A9469BDAE635AC0807AE\I386\grmnusb.sys
+ 2005-08-16 09:18 . 2009-02-06 11:06 110592 c:\windows\system32\services.exe
+ 2005-08-16 09:18 . 2009-02-06 11:06 110592 c:\windows\system32\dllcache\services.exe
+ 2009-07-05 20:35 . 2009-07-05 20:35 637952 c:\windows\Installer\14d5c0f.msi
+ 2009-07-05 20:35 . 2009-07-05 20:35 1091584 c:\windows\Installer\14d5c0a.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2009-6-25 81997]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"XHZZicfwj"= {E8CE9841-4264-32EB-55BF-6752BDFD4EF2} - c:\windows\system32\ejqtsv.dll [2009-03-21 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Black Isle\\BGII - SoA\\BGMain.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/23/2009 6:00 PM 24652]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [7/20/2007 6:40 PM 93696]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [8/29/2006 12:54 AM 10664]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2009-06-24 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-24 17:32]

2009-06-24 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-24 17:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Paul Jacobsen\Application Data\Mozilla\Firefox\Profiles\gjw7b1wl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 21:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1847528650-894552839-4089639203-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5CCCE6BC-0C86-6AB1-2C28-6C0E41335DF7}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"eaonjdjldh"=hex:66,61,6d,70,69,68,66,70,6d,69,64,6b,00,fc
"dajnkdke"=hex:64,62,65,70,63,68,64,6f,62,6e,67,70,64,70,6a,70,61,63,61,6d,63,
69,6b,6f,6c,66,61,6f,61,63,62,6c,69,65,6f,64,66,6f,61,63,00,00
"iagpmohajkinbgpion"=hex:6a,61,68,65,6a,64,65,63,66,6b,63,6d,6c,67,65,70,62,65,
65,6a,00,97
"haepcnochflkoopj"=hex:6a,61,68,65,6a,64,65,63,66,6b,63,6d,6c,67,65,70,62,65,
65,6a,00,1c

[HKEY_USERS\S-1-5-21-1847528650-894552839-4089639203-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6D29E5F7-1322-31FF-E9CD-12BE5B4F8016}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaodpfehacfnobbdkd"=hex:6a,61,6b,69,70,61,62,6d,65,65,6f,61,70,66,64,69,66,62,
64,63,00,00
"haidkpglakjancfe"=hex:6a,61,6b,69,70,61,62,6d,65,65,6f,61,70,66,64,69,66,62,
64,63,00,12

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1712)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\freecell.exe
.
**************************************************************************
.
Completion time: 2009-07-08 21:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-08 01:08
ComboFix2.txt 2009-07-07 00:31
ComboFix3.txt 2009-07-05 14:40
ComboFix4.txt 2009-06-23 18:14

Pre-Run: 106,127,548,416 bytes free
Post-Run: 106,103,193,600 bytes free

418 --- E O F --- 2009-07-07 07:02
Posted by rpaulie
Old 07-07-2009, 10:46 PM   #12
forhockey, Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate


Re: Need assistance removing NTOSKRNL-HOOK

Hi rpaulie,

There are still a few things we need to fix here, so please stick with me.

We'll come back to the "[4]-Submit_Date_Time.zip" file in a few posts.

--------------------------------------------------------------

Please download the CFScript.txt that I've created here and save it to your desktop.




Referring to the picture above, drag the downloaded CFScript into Combo-Fix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
Attached Files
File Type: txt CFScript1.txt (1.3 KB, 8 views)
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum

Last edited by Ried; 07-09-2009 at 10:43 PM. Reason: renamed original upload so could attach another
Old 07-09-2009, 10:12 PM   #13
rpaulie, Registered User
Join Date: Jul 2009
Posts: 28
OS: Windows XP


Re: Need assistance removing NTOSKRNL-HOOK

I ran the CFScript through ComboFix like you instructed but when my computer rebooted, all the icons are gone and all I can now access is the task manager!

I tried doing a system restore but nothing is working anymore!

I have no idea how to resolve this matter. Please assist.

Thank you
Old 07-09-2009, 11:27 PM   #14
forhockey, Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate


Re: Need assistance removing NTOSKRNL-HOOK

Hello rpaulie,

Open up Task Manager>File>New Task (Run..) type explorer.exe into the textbox and click OK.

Does this launch your desktop with all your icons?

-----------------------------------------------------------------

I'll need to see your log from the previous run of ComboFix to see what is going on.

Open up Task Manager>File>New Task (Run..) and copy and paste the following in bold into the textbox:

C:\ComboFix.txt Click OK.

This will open the log. Please copy and paste the log in your reply.



If for some reason you cannot open internet explorer, then do the following:

Open up Task Manager>File>New Task (Run..) type iexplore.exe into the textbox and click OK.
Old 07-10-2009, 07:22 AM   #15
rpaulie, Registered User
Join Date: Jul 2009
Posts: 28
OS: Windows XP


Re: Need assistance removing NTOSKRNL-HOOK

Hello,

Unfortunately, explorer.exe does not do the job. Only a black screen briefly appears for a split second and then it vanishes.

Also, when I type in C:\ComboFix.txt, I get a screen stating Windows cannot find it.

The first time it happened, I attempted to reboot the computer but that gave me no results either.

I could not find anything in the Qoobox folder either.

Last edited by rpaulie; 07-10-2009 at 07:33 AM.
Old 07-10-2009, 01:01 PM   #16
forhockey, Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate


Re: Need assistance removing NTOSKRNL-HOOK

Hello,

Open up Task Manager>File>New Task (Run..) and copy and paste the following in bold into the textbox:

c:\windows\erdnt\subs\erdnt.con
Click OK.

Wait for the program to finish, then reboot.

Please let me know the state of your system after reboot.
Old 07-10-2009, 01:13 PM   #17
rpaulie, Registered User
Join Date: Jul 2009
Posts: 28
OS: Windows XP


Re: Need assistance removing NTOSKRNL-HOOK

I received a message returning stating Windows could not open the file.

Is there a program you recommend?
Old 07-10-2009, 11:27 PM   #18
forhockey, Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate


Re: Need assistance removing NTOSKRNL-HOOK

Hrm... Let's try another approach.

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow keys to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\subs

6. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

7. The erunt backups will begin copying.
8. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.

-------------------------------------------------

Please let me know if this works.
Old 07-11-2009, 09:57 AM   #19
rpaulie, Registered User
Join Date: Jul 2009
Posts: 28
OS: Windows XP


Re: Need assistance removing NTOSKRNL-HOOK

I'm sorry.

No Success. When I entered the option for the Microsoft Windows Recovery Console I received the Blue Screen of Doom when choosing that option. This happened 5 times in a row.

I remember it working previously before this all happened.

Last edited by rpaulie; 07-11-2009 at 10:01 AM.
Old 07-11-2009, 10:58 AM   #20
forhockey, Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate


Re: Need assistance removing NTOSKRNL-HOOK

Hi rpaulie,

Let's try and stay calm here. There are plenty of options left that we can try.

Please start your computer up in normal mode

Open up Task Manager>File>New Task (Run..) and copy and paste the following into the textbox:

C:\WINDOWS\ERDNT\subs\erdnt.exe Click OK.

Let the program run. Restart after the program is done.

Please update me on the status of your system now.
 


Copyright 2001 - 2009, Tech Support Forum